Lora Bentley spoke with Ben Chelf, CTO, Coverity, Inc., which recently released the results of its first Department of Homeland Security-funded security audit of open source software.
Bentley: How did you decide which open source programs to evaluate?
Chelf: The packages that we analyzed were the ones that we felt were a reasonable first cut at a cross-section of open source projects. The plan has always been to continually expand the list, since no list of open source projects is ever truly complete. We designed the framework with this in mind - now that we've set it up, we can easily add new projects and start getting results for them within a matter of hours. We've already received many requests for new projects to scan and are looking forward to expanding the scan in the weeks to come.
Bentley: Did anything in particular stand out about the results?
Chelf: Clearly, the performance of the LAMP stack compared to other open source projects stands out. The fact that these packages fared so well in our analysis backs up the prevailing notion that they are very reliable and secure. Another thing that stands out about the results is the response that the community has had upon reviewing them. In just a few days, dozens of patches have been submitted to the open source packages we scanned. This really validates the usefulness of the results that we are providing. The community is very good about fixing bugs once they know about them; we hope that our results can be used to add to the already existing manpower as an aid to find as many bugs as possible and speed up their development.
Bentley: What's the next step?
Chelf: More scans, more bugs. I'm seeing a lot of demand for more projects and more versions of existing projects to be scanned. I am actively engaging with the community to make sure the results we provide are as useful as possible. Since our goal is to make this technology useful in the long term, I hope to help the community define the best next steps for this audit. If the initial response is any indication, it should be a very exciting journey for this project.